Security of the gpg private keyring?

Robert J. Hansen rjh at
Mon Feb 28 17:27:34 CET 2011

On 2/28/11 9:09 AM, David Shaw wrote:
> You can do quite a lot with stuff like this.  Who signed who can
> tell you who this person has met, and often where.

It should be emphasized that *can* is not the same thing as *does*; and
it doesn't necessarily allow you to do it with a high degree of
confidence.  Not that I'm disagreeing with David here: I just want to
make sure people don't misinterpret.

> Robert and I did an experiment a few months ago where starting only
> from his public key, I was easily able to find out real-world
> addresses, parents names, siblings, etc.

This was, IMO, ultimately an ambiguous result.  There is nothing that he
was able to derive from my certificate that he couldn't have figured out
from visiting my webpage, reading the GnuPG archives, and so forth.  The
usefulness of the certificate as a source of data was not
well-established, IMO: the usefulness of OSINT was quite well-established.

Rather than rehash the old debate, read the original discussion:

More information about the Gnupg-users mailing list